Skip to main content
Version: 24.3.x

Security Bulletin 2023-07-22-02

Abstract

Potential unintended user access to restricted data as a result of accelerated DML operation.

CVSS Qualitative Rating

Affected Releases

  • Dremio 24.0.0 through 24.0.x
  • Dremio 23.0.0 through 23.1.x
  • Dremio 22.0.0 through 22.1.x

Problem Description

In Affected Releases, DML queries were accelerated and SELECT permissions on tables were not validated at query execution. Because of this, a user could perform a MERGE operation to another table and view all of its data. This was possible if a default raw reflection was enabled on that view and SELECT permissions previously granted on underlying tables in the view were revoked from the view owner.

In Fixed Releases, SELECT permissions on an underlying table are validated before a DML operation is performed.

Resolution Actions

Upgrade to a Fixed Release that resolves the issue.

Fixed Releases

  • Dremio 24.1.0 and above
  • Dremio 23.2.0 and above
  • Dremio 22.2.0 and above